DDoS broken apart: when they all start shouting at once

“DDoS attack” is yet another common but under-explained cybersecurity term, even though it has been in use for ages now.

What is a denial-of-service attack? There are two kinds: a “simple” DoS and a distributed one. What’s the difference?

Well, imagine that you are talking to a person, and all of a sudden they start shouting, and not just shouting but doing so at an extremely high tempo – at 1274 words per minute, for instance, which is twice as fast as the standing Guinness World Record.

Most likely you’d go deaf, and you most certainly wouldn’t catch a word or be able to respond.

That’s what a “simple” denial-of-service attack is. Note that the “assailant” is a single entity.

Now, the distributed attack: imagine that you are a speaker before a really large audience – 1000+ people. All of a sudden, they all, each and every one of them, start talking to you – asking questions and demanding answers pronto. Not even shouting, or talking at thousands of words per minute. They may just speak at their normal rate and noise level. But all of them do it at the same time.

In this case, again, you will most likely go deaf, and – it’s an absolutely sure thing – you won’t be able to respond to any one of their questions. No one will hear what you say, even if you have a microphone and a decent sound amplification system in the room.

That’s exactly what a distributed denial-of-service (DDoS) attack is.

Now, of course, servers (the usual targets of such attacks) aren’t human beings. They aren’t as easily overloaded by a large amount of information, but they – and their communication channels – still have their limits.

And those limits are what attackers abuse, in a large number of ways.


The most common attacks are various types of flooding. The simplest ones are the Ping flood and the UDP flood, in which attackers hammer the target server with ICMP Echo Request packets (ping) or User Datagram Protocol packets, consuming the entire bandwidth of the target, which obediently processes and responds to each packet sent.

In the case of a UDP flood attack, the attacker sends a large number of UDP packets to random ports on a remote host, which will check for an application listening at each port, find none and respond with an ICMP Destination Unreachable packet. An attacker will most likely spoof the source IP address, so that the returning packets go elsewhere.

Another example is the so-called Smurf attack (named after the source code of an attack program from 1997 – “smurf.c”).

In such an attack, large numbers of Internet Control Message Protocol (ICMP) packets with the intended victim’s spoofed source IP are broadcast to a computer network using an IP broadcast address. Most devices on a network will, by default, respond to this by sending a reply to the source IP address. If the number of machines on the network that receive and respond to these packets is very large, the victim’s computer will be flooded with traffic. It will still be trying to process it, slowing down to the speed of a calculator from the 1970s.

These packets will most likely be senseless trash.

The SYN flood is another somewhat similar attack. In this case the attacker abuses the TCP connection setup by disrupting the normal “three-way handshake”. At the beginning of a TCP connection, the client sends a SYN (synchronize) message to the server, the server responds with a SYN-ACK (synchronize-acknowledge), then the client sends its ACK and the connection is established.


In a SYN flood, an attacker (a malicious client) either never sends the expected ACK but keeps sending SYNs, multiplying half-open connections, or gives the server a spoofed source IP address, to which all of the server’s SYN-ACKs go. Since the client at the falsified address never sent a SYN in the first place, it won’t send any ACK back.

In a short time, all of the target’s bandwidth is swamped.
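The half-open bookkeeping described above can be watched from the defender's side. The following is an added example, not part of the original post: it replays constructed handshake events and reports how many connections were left waiting for a final ACK at each server. The event tuple format, the addresses (documentation ranges), the alert threshold and the timeout are all assumptions.

```python
from collections import defaultdict

def sample_events():
    """Constructed events, not captured traffic: (time_s, src, dst, tcp_flag)."""
    server = "192.0.2.10:443"
    client = "198.51.100.7:40000"
    # One legitimate client completes the three-way handshake.
    events = [(0.0, client, server, "SYN"),
              (0.1, server, client, "SYN-ACK"),
              (0.2, client, server, "ACK")]
    # 200 SYNs with distinct spoofed sources; the server answers, no ACK follows.
    for i in range(200):
        spoofed = f"203.0.113.{i % 250 + 1}:{1024 + i}"
        t = 1.0 + i * 0.01
        events.append((t, spoofed, server, "SYN"))
        events.append((t + 0.001, server, spoofed, "SYN-ACK"))
    return events

def half_open_peaks(events, timeout=30.0):
    """Return {server: peak count of simultaneously half-open connections}."""
    pending = defaultdict(dict)   # server -> {client: time its SYN was seen}
    peaks = {}
    for t, src, dst, flag in sorted(events):
        if flag == "SYN":
            table = pending[dst]
            # Forget entries the server itself would have timed out by now.
            for stale in [c for c, t0 in table.items() if t - t0 > timeout]:
                del table[stale]
            table[src] = t
            peaks[dst] = max(peaks.get(dst, 0), len(table))
        elif flag == "ACK":
            # Final step of the handshake: the connection is no longer half-open.
            pending[dst].pop(src, None)
    return peaks

def flag_syn_floods(events, threshold=100, timeout=30.0):
    """Servers whose half-open backlog reached the (assumed) alert threshold."""
    peaks = half_open_peaks(events, timeout)
    return sorted(s for s, peak in peaks.items() if peak >= threshold)

if __name__ == "__main__":
    print(half_open_peaks(sample_events()))
    print(flag_syn_floods(sample_events()))
```

Because the flood's source addresses are spoofed, the signal worth alerting on is the backlog at the server rather than any per-source count.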

There are a number of other kinds of DDoS attacks, but in essence they are all based on the same principle: prepare a large number of malware-ridden boxes (a botnet with DDoS capabilities), send a command, and they will bomb the target hosts with a huge number of trash packets.

Over the last several months, security experts have detected a number of “exotic” DDoS attacks exploiting vulnerable NTP (Network Time Protocol) servers to amplify the trash traffic. Since there are lots of such vulnerable servers, these attacks are extremely problematic.

Criminals use DDoS as a means of extortion: pay up or see yourself going out of business. Every hour of downtime means large losses, so sometimes businesses prefer to pay rather than deal with the consequences.

DDoS is also actively used by “hacktivists” as the Web counterpart of street protests (or at least so said Richard Stallman). There are also many cases of DDoS being used for politically motivated suppression of media outlets, etc.

And certainly DDoS attacks are occasionally used as a dirty weapon in business wars too.

So that’s the problem. And the solution?

Defensive responses typically involve a combination of attack detection, traffic classification and response tools that aim to block traffic identified as illegitimate and allow traffic identified as legitimate. In other words: identify the malicious traffic and its sender, then block them or re-route the trash traffic to the nearest black hole (a null interface or a non-existent server). Easy. Unfortunately, it’s easier said than done.

Today’s attacks are pretty sophisticated, easy to launch (just in the recent news: a 17-year-old was arrested in Norway for a massive distributed denial-of-service attack earlier this week that disabled the websites of major financial institutions and other businesses in the country) and hard to fend off, especially since the botnets used to launch them are huge and very difficult to dismantle. Sometimes dealing with a DDoS attack requires external expertise and/or even migrating the entire affected infrastructure under the protection of a dedicated anti-DDoS service.

A very important part of battling DDoS attacks (which currently occur at a rate of 28 attacks per hour, or so) is dismantling the botnets themselves. One of our next posts will be dedicated to these activities.